In part one of this Samba-3 management tip, we prepared for the big act. Now the excitement begins: we are ready to use the net utility for the final steps in the configuration of the primary domain controller (PDC).

Up to this point, no user account has been granted Windows network administrative rights and privileges. Our objective is to give the account mstone full administrative rights. This is achieved simply by making mstone a member of the Linux managers group, because the managers group is mapped to the Windows Domain Admins group. However, life is not that simple. By default, the Domain Admins group has no rights other than the ability to assign rights and privileges. This means that the specific privileges must be explicitly assigned, even to the Domain Admins group, before its members can do anything with them.

Create an administrative user account

Let's verify that mstone is a member of the managers group within the Linux environment:

root#> id mstone

uid=1001(mstone) gid=100(users) groups=100(users),1001(managers)

Next we confirm that, within Samba, mstone is also a member of the Windows Domain Admins group. That membership follows from the group mapping we established by executing:

root#> net groupmap modify ntgroup="Domain Admins" unixgroup=managers

Assign rights and privileges to the domain admins group

In this step, the Domain Admins group is assigned (given, or granted) the full set of administrative privileges that this tip uses. The -S option names the PDC (violetsblue) and -U supplies the credentials of an account in Domain Admins:

root#> net rpc rights grant "Domain Admins" \
    SeMachineAccountPrivilege \
    SeTakeOwnershipPrivilege \
    SeBackupPrivilege \
    SeRestorePrivilege \
    SeRemoteShutdownPrivilege \
    SePrintOperatorPrivilege \
    SeAddUsersPrivilege \
    SeDiskOperatorPrivilege -S violetsblue -Umstone%n3v3r2l8

Successfully granted rights.

A word of caution on the -Umstone%n3v3r2l8 form: a password given on the command line is visible to every user on the host in the process list (ps) and is recorded in the shell history. On a production PDC, use -U mstone and let net prompt for the password, or keep the credentials in a file readable only by root and pass it with the -A (--authentication-file) option.

Make the PDC a domain member

The next step is to make our PDC a member of its own domain. This step requires domain administrative privilege, which mstone now has (SeMachineAccountPrivilege, granted above, is the privilege that permits creating machine trust accounts). Execute the following:

root#> net rpc join -Umstone%n3v3r2l8

Joined domain ROSESARERED

It is good practice to validate every step, as we have done so far. A domain join can appear to succeed even though the machine trust account it created is not actually usable. This can be checked simply by executing:

root#> net rpc testjoin

Join to 'ROSESARERED' is OK

Let's run a further check to obtain the status of the domain environment:

root#> net rpc info -S violetsblue

Domain Name: ROSESARERED
Domain SID: S-1-5-21-3169455399-2908770435-3209857667
Sequence number: 1135058837
Num users: 2
Num domain groups: 4
Num local groups: 0

So far, so good! The Domain SID reported here should be identical to the SID the PDC reports for itself with net getlocalsid; a mismatch means the server is answering for a domain other than the one it thinks it owns.
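As an added example, not part of the original tip, the following POSIX shell script automates the validation just described: it runs net rpc testjoin, reads the domain name and SID from net rpc info, checks that the SID has the S-1-5-21-n-n-n shape of a domain SID, and compares it with the SID that net getlocalsid reports for the PDC itself. The server name violetsblue, the domain ROSESARERED and the SID are the page's own values; the authentication-file path, the NET override variable and the assumed output format of net getlocalsid ("SID for domain NAME is: S-...") are this example's assumptions.

```shell
#!/bin/sh
# Added example: validate that a Samba-3 PDC has joined its own domain.
# Not code from the original tip. Requires the Samba-3 'net' tool on PATH
# for the live check; the parsing functions run anywhere.

NET="${NET:-net}"   # assumption: override to point at a non-default binary

# Print the value of one "Field: value" line from 'net rpc info' output.
info_field() {   # $1 = info text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# A Windows domain SID has the form S-1-5-21-<n>-<n>-<n>; well-known SIDs
# such as S-1-5-32-544 (BUILTIN\Administrators) are not domain SIDs.
valid_domain_sid() {   # $1 = SID
    printf '%s' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Compare the domain name and SID in 'net rpc info' output ($1) with the
# expected domain ($2) and SID ($3). Returns 0 on match, 1 otherwise.
verify_domain_info() {
    name=$(info_field "$1" "Domain Name")
    sid=$(info_field "$1" "Domain SID")
    [ "$name" = "$2" ] || { echo "domain name mismatch: '$name' != '$2'" >&2; return 1; }
    valid_domain_sid "$sid" || { echo "malformed domain SID: '$sid'" >&2; return 1; }
    [ "$sid" = "$3" ] || { echo "domain SID mismatch: '$sid' != '$3'" >&2; return 1; }
    return 0
}

# Live check against the PDC: $1 = server, $2 = expected domain,
# $3 = 'net -A' authentication file (username=/password=/domain= lines),
# used so that the password never appears on the command line.
check_pdc_join() {
    out=$($NET rpc testjoin) || { echo "net rpc testjoin failed: $out" >&2; return 1; }
    case "$out" in *"is OK"*) ;; *) echo "unexpected testjoin output: $out" >&2; return 1 ;; esac
    # assumption: 'net getlocalsid' prints "SID for domain <NAME> is: S-1-5-21-..."
    local_sid=$($NET getlocalsid | sed -n 's/.* is: //p')
    info=$($NET rpc info -S "$1" -A "$3") || return 1
    verify_domain_info "$info" "$2" "$local_sid"
}

# Usage: sh validate-join.sh --check [server] [domain] [authfile]
if [ "${1:-}" = "--check" ]; then
    check_pdc_join "${2:-violetsblue}" "${3:-ROSESARERED}" "${4:-/root/.netauth}"
fi
```

The parsing functions are kept separate from the live check so they can be exercised against saved output, which is how the script is tested below; on the PDC itself, run it with --check after every net rpc join.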

Create additional users

So far, the net command has been used to:

map Linux groups to Windows groups;

check Windows group membership;

join the PDC to its own domain;

validate the domain account (join); and,

check domain information (note: this does not depend on the join).

In the last step, we confirmed that there are only two Windows user accounts and four Windows group accounts.

Adding a user with the net rpc user add facility results in Samba calling the add user script (the script named by the add user script parameter in smb.conf) to create the account in the Linux account database (/etc/passwd), followed by the addition of the account to the passdb backend (here tdbsam) specified in smb.conf.

Unfortunately, accounts created this way do not yet have a password. We must rectify that at once:

Often, it is necessary to give a user certain limited administrative privileges rather than full Domain Admins membership. An example is making it possible for a normal user to manage printing operations. In this case the user misty is granted only the printer management privilege (SePrintOperatorPrivilege):
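As an added example covering both the full grant to Domain Admins above and the limited grant to misty, the following POSIX shell script (not code from the original tip) wraps net rpc rights grant so that a role maps to the smallest privilege set it needs, unknown privilege names are rejected before net is called, and the credentials live in a mode-0600 authentication file passed with -A rather than on the command line. The role names, the extra machine-join role (a delegated account that may only join workstations), the NET override variable and the authentication-file path are this example's own assumptions; the eight privilege names are the ones the tip grants.

```shell
#!/bin/sh
# Added example: grant Samba-3 privileges by role, with least privilege.
# Not code from the original tip. Set NET=echo to print the commands
# instead of running them.

NET="${NET:-net}"   # assumption: override for dry runs or a non-default path

# The eight privilege names this tip grants. Any other name is treated as a
# typo and rejected before 'net' is invoked.
KNOWN_PRIVS="SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege \
SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege"

# Map a role (names are this example's own) to the privileges it needs.
privs_for_role() {   # $1 = role
    case "$1" in
        domain-admins)  printf '%s' "$KNOWN_PRIVS" ;;
        print-operator) printf '%s' "SePrintOperatorPrivilege" ;;
        machine-join)   printf '%s' "SeMachineAccountPrivilege" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Return 0 only if every word in $1 is a known privilege name.
validate_privs() {
    for p in $1; do
        case " $KNOWN_PRIVS " in
            *" $p "*) ;;
            *) echo "unknown privilege: $p" >&2; return 1 ;;
        esac
    done
}

# Write a 'net -A' authentication file. The password is read from stdin so
# it never appears in argv or shell history; umask 077 keeps the file 0600.
write_authfile() {   # $1 = file, $2 = username, $3 = domain
    IFS= read -r pass
    ( umask 077; printf 'username = %s\npassword = %s\ndomain = %s\n' "$2" "$pass" "$3" > "$1" )
}

# grant_rights <user-or-group> <role> <server> <authfile>
grant_rights() {
    privs=$(privs_for_role "$2") || return 1
    validate_privs "$privs" || return 1
    $NET rpc rights grant "$1" $privs -S "$3" -A "$4"
}

# Usage mirroring the tip: full rights for Domain Admins, printing only for misty.
#   printf '%s\n' "$ADMIN_PASSWORD" | sh grant-rights.sh --write-auth /root/.netauth mstone ROSESARERED
#   sh grant-rights.sh --apply
case "${1:-}" in
    --write-auth) write_authfile "$2" "$3" "$4" ;;
    --apply)
        grant_rights "Domain Admins" domain-admins violetsblue /root/.netauth
        grant_rights misty print-operator violetsblue /root/.netauth ;;
esac
```

Keeping the role-to-privilege mapping in one place makes the delegation auditable: a reviewer can see at a glance that a print operator receives SePrintOperatorPrivilege and nothing else, which is the point of granting limited privileges instead of Domain Admins membership.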

The net utility permits very extensive remote management of a Samba server. So far, I have demonstrated how this tool can be used to join a Samba server to its domain, add/delete/change user and group accounts, map Linux groups to Windows groups, add users to groups, and so on. The use of this tool to assign rights and privileges has also been briefly touched upon.

The next article will deal with remote GUI management tools and facilities. It will review various GUI tools that can be used to facilitate network management. Of course, some will quickly point out that if this can be made simple enough, it should be possible to delegate many day-to-day operations to senior user staff and thus reduce the cost of keeping the network operational.
